I am working on a tool that will be sending bulk messages (not spam :) and I need to add a feature that will detect bounced messages. Is there a standard response associated with bounces? Would it be in the header of the body?
This is typically achieved by setting the Return-Path header of your outgoing mail to a unique address for every recipient. For example, you could use bounce+userid@example.com if you have a unique userid identifying every recipient.
If the mail gets bounced, you receive it and parse the receiver (which will be bounce+userid@example.com); you can then take appropriate actions.
Using the + syntax makes it possible to create a single mail-user (bounces@example.com) which receives all bounces and still distinguish between the recipients.
You can not rely on either the headers or the body of the bounced message to be able to reliably identify the original recipient, especially if you want to automate the process. Even if you add your own custom headers, it's likely that the bouncing server will strip them when it sends notification back to you. And trying to parse text in the body of the message in order to pull out the recipient's email address can be dodgy at best, as there's no standard format and every bounce you get will be different. The only piece of information that will remain completely untouched in a bounce is the return path email address -- the address that your server advertises it wants bounces sent to. Thus, the only way to automate truly accurate bounce catching is to encode the recipient directly into the return path address itself.
This would typically be done by overriding your server's default return path address for each outgoing message, using a unique value per recipient, like bounce-XXXXX@yourdomain.com, where XXXXX is some encoded and/or obfuscated representation of the recipient's email address or some other internal identifier. This technique requires the use of an email server which can support this type of wild card catch-all address so that you don't have to set up a new bounce account for each email address you're sending to. Assuming that, you simply configure the server to dump all such bounce-* emails to your script, which needs only to decode the XXXXX in order to determine who the original recipient was.
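An added example, not part of the answers above: one way to build and decode the bounce-XXXXX return path so that the bounce script can also reject addresses it never issued. The HMAC tag, the secret, the tag length and the recipient id "user-4711" are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: secret held only by the sender
BOUNCE_DOMAIN = "example.com"      # bounce domain used in the answers above
TAG_LEN = 10                       # base32 chars of the HMAC kept (50 bits)


def _tag(token: str) -> str:
    mac = hmac.new(SECRET, token.encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").lower()[:TAG_LEN]


def make_return_path(recipient_id: str) -> str:
    """Per-recipient envelope sender: bounce-<token>-<tag>@example.com."""
    # Base32 survives the case folding some mail systems apply to addresses.
    token = base64.b32encode(recipient_id.encode("utf-8")).decode("ascii")
    token = token.rstrip("=").lower()
    local = f"bounce-{token}-{_tag(token)}"
    if len(local) > 64:  # SMTP limit on the local part
        raise ValueError("recipient id too long for a return-path address")
    return f"{local}@{BOUNCE_DOMAIN}"


def decode_bounce_recipient(address: str):
    """Return the recipient id a bounce was sent to, or None if not ours."""
    address = address.strip().strip("<>").lower()
    if not address.isascii():
        return None
    local, _, domain = address.rpartition("@")
    if domain != BOUNCE_DOMAIN or not local.startswith("bounce-"):
        return None
    token, sep, tag = local[len("bounce-"):].rpartition("-")
    # Constant-time comparison; a wrong or missing tag means a forged bounce.
    if not sep or not hmac.compare_digest(tag, _tag(token)):
        return None
    padded = token.upper() + "=" * (-len(token) % 8)
    try:
        return base64.b32decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    rp = make_return_path("user-4711")   # constructed recipient id
    print(rp, "->", decode_bounce_recipient(rp))
```

Without the tag, anyone who can guess the address format could mail fake bounces to the catch-all and get valid recipients marked as undeliverable.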
If your tool is going to be talking directly to the recipients' SMTP servers, it
might be more advisable to check the error codes returned via the SMTP protocol for
4xx (temporary failure, e.g. "mailbox full") or 5xx (error, e.g. "no such user")
responses. Due to antispam/backscatter prevention mechanisms, you shouldn't rely on
the recipient's server to reply with a non-delivery report whenever a message doesn't
go through.
Related
I have set up a web app that allows subscribers to send emails from my system to their customers. To do this, I take advantage of the ReplyTo function of PHPMailer
e.g. MyWebApp.com
From: noreply@MyWebApp.com
ReplyTo: subscriber@remotedomain.com
To: customer@yahoo.com
This means that all emails that are sent from our system pass all SPAM filters and get delivered with a high rate of accuracy. This appears to satisfy the needs of the subscriber in that, if the customer hits "reply" - the reply is directed to the subscriber: subscriber@remotedomain.com
BUT. What I have discovered is that if the subscriber inputs an invalid email address, the Mail Delivery System Failure Notice is sent to me at noreply@MyWebApp.com and not the subscriber subscriber@remotedomain.com when it is the subscriber who really needs to know about the problem.
Is there any way, using the setup I have in place, that I can force the Mail Delivery System Failure Notices to go to the intended recipient?
Yes. Bounces are (or at least should be) sent to the SMTP envelope sender, which is the address used in the MAIL FROM SMTP command, which is not necessarily the same as the From address in the message headers. In PHPMailer, the from address is used for this by default (since that's what most want), but you can override it using the Sender property. You would use it like this:
$mail->setFrom('noreply@MyWebApp.com');
$mail->addReplyTo('subscriber@remotedomain.com');
$mail->addAddress('customer@yahoo.com');
$mail->Sender = 'subscriber@remotedomain.com';
This is easy enough to say and do, however, it also feeds directly into the mechanism that SPF relies on. SPF does its matching on the envelope sender, not the from address (this is the gap that DMARC bridges), so in order for this to work you would need your customers to add your servers to their domain's SPF records. This is likely to be tricky.
An alternative that doesn't run into SPF issues is to accept bounces to messages you have sent on their behalf, and forward them from your server to them, rather than getting the recipient's server to do that. Be warned though that writing bounce handlers is exceedingly unpleasant!
I'm working with PHP IMAP functions to poll an inbox and process the emails. Sometimes the emails are received via bcc -- this email was bcc'd by the sender. I need to be able to retrieve the actual email bcc'd -- but imap_fetchheader and imap_rfc822_parse_headers don't provide that if the recipient is bcc'd (even though it's in the return spec).
The issue is that I'm using plus addressing (myemail+value@domain.com) as part of my script, so it's not sufficient to know the email landed in my inbox -- I need to know the specific version of the address it was emailed to.
I understand the whole purpose of bcc is to be hidden. But I would think that there should be something in the header of the bcc-recipient to indicate the email was sent to them.
The "bcc address" that message is sent to is not part of the message itself, it is part of the message exchange protocol. It is used on the protocol level of smtp whilst handing over the message to the receiving server. The content that is handed over, so the message payload itself, is something different. There is no way to read that address from a received message by means of a protocol like imap4 or pop3. You'd have to scan and parse the smtp server's log files for that.
You can easily check that yourself: open the source code of a message received. So the original, technical payload including everything. That looks ugly, but it shows all information actually contained in the data. You will not see any mentioning of "bcc" or a "bcc address" in there.
I am using PHPMailer to send emails, I need to rectify which of my emails have been reached successfully to receiver's inbox. Is there any way to get the acknowledgement or delivery receipt for each email sent?
If possible I need those email id's inserted into my MySQL database.
There are several approaches to this, none of which are reliable.
You can request delivery receipts by adding the Disposition-Notification-To header. PHPMailer has built-in support for this:
$mail->ConfirmReadingTo = 'confirmations@example.com';
Not many clients support this, and even if they do, it's likely they have it disabled for security reasons. Generally it's only likely to work within company intranets.
Secondly you can add an opening tracker or beacon image in your message body so that when a client opens the message, the loading of the image tells you which message was opened. You need to embed a unique identifier for the recipient and/or the message in the URL, such as a hash of the email address and timestamp. Again, this is not reliable because most clients have image loading off by default, or the images may be opened by inbound mail scanners, giving you false positives.
The most effective way is really to get to know your mail server, and handle bounces correctly, but even then, just because a message has been delivered successfully to the recipient's mail server does not tell you whether it reached their inbox, nor whether it has been seen or opened.
I would like to find out all e-mails that have been received by our mail server from a particular IP address, contained in the Message Headers.
It is a static IP, and I have found some already by manual means, but I am trying to find a way to either do this programmatically, perhaps using a PHP script with full access on my mail server, or perhaps there is a function within cPanel itself which will do this?
How would one go about searching all e-mail headers for this IP?
You may want to have a look at procmail. It's a tool that can be used to process email messages as they arrive to your mailbox. You can specify the processing on the email message based on any field in the message header. In your case, you would be considering the "Received:" field which displays the IP address of the upstream email server.
Although procmail is generally used for processing email as it arrives, it is also possible to use it to process existing mail stored in mailboxes if you can cat and pipe the messages from the mailbox to procmail.
There is a simple example in the link below that explains the basics of using procmail.
Howto filter and forward e-mail with procmail: example
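An added example, not from the answer above: a Python sketch of the same search over mail that is already stored, reporting which "Received:" hop names the IP. The three sample messages, their host names and the documentation-range IPs are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample messages (documentation IP ranges, made-up hosts).
SAMPLE = [
    "Received: from a.sender.example ([203.0.113.7]) by mx.example.com; "
    "Mon, 01 Jan 2024 10:00:00 +0000\n"
    "Received: from laptop ([192.0.2.10]) by a.sender.example\n"
    "Message-ID: <m1@sender.example>\n\nhello\n",
    "Received: from b.other.example ([203.0.113.70]) by mx.example.com\n"
    "Message-ID: <m2@other.example>\n\nhello\n",
    "Received: from c.third.example ([198.51.100.23]) by mx.example.com\n"
    "Received: from pc ([203.0.113.7]) by c.third.example\n"
    "Message-ID: <m3@third.example>\n\nhello\n",
]

# Candidate dotted quads; each is validated with ipaddress before comparing.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def received_hops_with_ip(msg, wanted_ip):
    """Indexes of Received headers naming wanted_ip (0 = newest hop)."""
    wanted = ipaddress.ip_address(wanted_ip)
    hits = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        for candidate in IPV4_RE.findall(str(value)):
            try:
                if ipaddress.ip_address(candidate) == wanted:
                    hits.append(hop)
                    break
            except ValueError:
                continue  # not a valid address, e.g. 999.1.1.1
    return hits


def find_messages(raw_messages, wanted_ip):
    """Map Message-ID -> matching hop indexes for each matching message."""
    found = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        hops = received_hops_with_ip(msg, wanted_ip)
        if hops:
            found[msg["Message-ID"]] = hops
    return found
```

Hop 0 is the line written by the server that accepted the message; lower lines were supplied by the sending side and can be forged, so a match only at a later hop is weaker evidence. The address-aware match also keeps 203.0.113.70 from counting as a hit for 203.0.113.7, which a plain substring search would get wrong.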
I have a website, example.com hosted at godaddy. I was just messing around with PHP's mail function and uploaded the following to my website at example.com:
mail( "someone@yahoo.com", "test", "test message", "From: someone@gmail.com" );
Why does this work? I mean, it shouldn't, right? The "From" address domain isn't "@example.com". Yet, when I check my email at someone@yahoo.com, I get the message from someone@gmail.com... How is it that I'm able to (potentially) send an email from anyone's email account without their password?
This is possible, as in, you can put into the E-Mail headers whatever you want, including a totally arbitrary sender address. You are right, though, security-conscious providers will usually configure their outgoing mail services in a way that allows only sender addresses residing on the server the mail gets sent from; but they don't have to.
Also, on the receiving end, messages where the sender address belongs to a domain that is not associated with the sending mail server very often end up in the Spam folder.
It's (as you already know) very bad practice to make use of this. As to whether the provider is at fault - it could be anything from a sign of trust (if you are the only user on the server, or one of select few clients) to carelessness. You may have reason to complain because if one of your web hosting neighbours misuses this to send spam, the server's IP address might get blacklisted, causing any E-Mail coming from it (legit or not) to get caught in spam filters.
It's because of the email format specification.
Have a look at the email's header specification, you might refer to the http://en.wikipedia.org/wiki/Email#Header_fields
That is the reason why one should never trust the "from" information once you receive an email.
This is why systems like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) have been introduced.
SPF allows admins to define where email for a particular domain is supposed to originate. In your example, and assuming that SPF records were set up, the records would show that the Go Daddy host from which the mail was sent was not an authorised sender for the gmail.com domain. A (Yahoo) mail server that receives that mail and does SPF validation would probably reject the mail.
DKIM uses digital signatures to allow a sending mail server to show that an email came from the domain it says it came from. In your example, you wouldn't be able to sign your email and make it look like it really came from Gmail, because you don't have their key.
Both these systems require proper SPF/DKIM records to be set up, and also require that the mail server that handles the email for its recipient actually performs the validation.
So don't worry: this problem is being worked on :-)
Whether you should be able to do this is basically a matter of who you ask. The email RFC states that you should. Best practice for hosting and ISP says you shouldn't.
So, seen from a PHP point of view: yes, you should.
Edit:
And btw, you're not sending the mail from somebody's account; you're simply stating that your email is something different from what's actually true. Which is basically the same as introducing yourself to a stranger as, let's say, "Bill Clinton". If the receiver is paying attention they'll know it's wrong. In the real world because you don't look like him, and in the email world you can simply test if the sending server is allowed to relay from that specific domain.